1:05 p.m.
On Thu, 25 Feb 2016, Dennis Gilmore wrote:
No one has access to the private key. It lives on a server that has
no
services running that listen for connections. There is a service that runs
on
it that talks to the signing bridge. That brokers all requests. Users with
access do not know the password to unlock the key. The signing server
manages
access. There is exactly two copies of the private key, one embeded in
encrypted storage on the signing server and a backup of the encrypted
storage
on the backup server. It has been designed to allow the granting and
revocation of access without the need for having a copy of the private key.
https://fedorahosted.org/sigul/ is the software we use
Dennis
Thank you for providing this valuable information about the handling
of the private key that enables Fedora ISO signing. This information
should be shared and highlighted as it is helping to create trust in
the use of this key.
As a personal request, would you be so kind as to confirm the fingerprint
here (and maybe somewhere else), please. Thank you very much.
Ralf
1:24 p.m.
New subject: More prominent link to verification hashes
On Thursday, February 25, 2016 08:05:59 PM Ralf Senderek wrote:
On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> No one has access to the private key. It lives on a server that has no
> services running that listen for connections. There is a service that
> runs
> on
> it that talks to the signing bridge. That brokers all requests. Users
> with
> access do not know the password to unlock the key. The signing server
> manages
> access. There is exactly two copies of the private key, one embeded in
> encrypted storage on the signing server and a backup of the encrypted
> storage
> on the backup server. It has been designed to allow the granting and
> revocation of access without the need for having a copy of the private
> key.
>
> https://fedorahosted.org/sigul/ is the software we use
>
> Dennis
Thank you for providing this valuable information about the handling
of the private key that enables Fedora ISO signing. This information
should be shared and highlighted as it is helping to create trust in
the use of this key.
As a personal request, would you be so kind as to confirm the fingerprint
here (and maybe somewhere else), please. Thank you very much.
Which fingerprint? There is a number of keys
Dennis
2:29 p.m.
New subject: More prominent link to verification hashes
On Thu, 25 Feb 2016, Dennis Gilmore wrote:
Which fingerprint? There is a number of keys
Dennis
The one you were referring to in your posting and which
an ordinary user would verify with:
gpg --list-keys --fingerprint 81B46521
Ralf
PS: if you had a long-term signing key it would be its fingerprint.
8:31 a.m.
New subject: More prominent link to verification hashes
On Thursday, February 25, 2016 09:29:26 PM Ralf Senderek wrote:
On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> Which fingerprint? There is a number of keys
>
> Dennis
The one you were referring to in your posting and which
an ordinary user would verify with:
gpg --list-keys --fingerprint 81B46521
Ralf
PS: if you had a long-term signing key it would be its fingerprint.
We have no long term signing key, no way to cross sign the keys, I was
referring to them all in general, not just one in particular.
Dennis
1:10 p.m.
New subject: More prominent link to verification hashes
On Thu, Feb 25, 2016 at 08:05:59PM +0100, Ralf Senderek wrote:
Thank you for providing this valuable information about the handling
of the private key that enables Fedora ISO signing. This information
should be shared and highlighted as it is helping to create trust in
the use of this key.
Where should this information be provided?
As a personal request, would you be so kind as to confirm the
fingerprint
here (and maybe somewhere else), please. Thank you very much.
What would be proper other places to confirm the fingerprint?
Regards
Till
2:32 a.m.
New subject: More prominent link to verification hashes
What would be proper other places to confirm the fingerprint?
The following criteria might be reasonable:
- a place that has authority, that people might trust.
- a place that is hard to impersonate, that has some protection
against unauthorized use
- a place that is visible to many people with a need to verify.
- a place that is known for publishing cross-checked, reliable information
Hope that helps to find such places.
7:27 a.m.
New subject: More prominent link to verification hashes
On Mon, Mar 07, 2016 at 08:32:05AM -0000, Ralf Senderek wrote:
> What would be proper other places to confirm the fingerprint?
The following criteria might be reasonable:
- a place that has authority, that people might trust.
- a place that is hard to impersonate, that has some protection
against unauthorized use
- a place that is visible to many people with a need to verify.
- a place that is known for publishing cross-checked, reliable information
We could possibly add it somewhere on a Red Hat site, which I think
would fit all of these criteria in many people's eyes. Since it's
entirely separate infrastructure from Fedora's websites, that would
significantly raise the bar for any targetted website hacking.
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
7:38 a.m.
New subject: More prominent link to verification hashes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Somewhere like archive.org too maybe -- again totally separate
inrastructure + it could be used as a un-official 'official' hash
vault for checking.
On 03/07/2016 08:27 AM, Matthew Miller wrote:
On Mon, Mar 07, 2016 at 08:32:05AM -0000, Ralf Senderek wrote:
>>> What would be proper other places to confirm the fingerprint? >>
The following criteria might be reasonable: >> - a place that has
authority, that people might trust. >> - a place that is hard to
impersonate, that has some protection >> against unauthorized use
> - a place that is visible to many people with a need to
verify.
> - a place that is known for publishing cross-checked, reliable
information
> > We could possibly add it somewhere on a Red Hat site,
which I think > would fit all of these criteria in many people's eyes.
Since it's > entirely separate infrastructure from Fedora's websites,
that would > significantly raise the bar for any targetted website
hacking. >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJW3YRJAAoJEHeOgyS7CC5mMTkP/A7LqGO4H6KH/EQ3i/j2LG9M
rDFZ0l6tfgG3bVebKI/kxrF4nV3EIDS7n77Fo79dX24xhHIQlabhzgDz6p2slhqu
1gjG0DExIYLgyyGvfWHFj253vq1fkYZMKftftLPQZxD4krnYAUtwpGaPkEN0q/gM
swumcurdgcjlKUwHc195mcSMbE+2tNDJJ49hU44uYpKWtESajWXZ+n3EOvDsj+lj
2W3gdHpqrPJZbgTPtU8FWgmYQNq3ExDWp6Iayz2S2emeSoimjLJYCtrpPSXLRJBw
WC0TZFbZs8cZ0lJy+QJQmpm0n4M0SYRxB2rAN2R3tQ3Ro/KRC0QcEP1Yvwq0QUCK
IXiSp0QI3PftKl2SEbSdTKJW8dN0lM+Hd8ZT6EyqGWVHvlKnnaKbHCVJXzi3Acqc
UngJtGcmEMubbW02Zkpd1Odk008kUDl4AeD9wuCtwKls+fkrKjJPktIiAL7EJcLL
cSf/yYxHjw4GnSfPFkGVHEBmSZm6O3gpRh7jjdzECcBb1WQtLZ8l7iV3EJu16FWu
B4TPyV8PxAbzwehR2ZsZIXH5vB/VMLihh+gzt28cenOc/gvgC/eYsd5kmEuRsL52
jDRnGSP27my8PJ/kzcvn5ldi30NtGigpll0Ff8isl0kjg66oJaax5ouJlHQpTmjQ
D4HmOiouIBG/F91Izwfi
=6G93
-----END PGP SIGNATURE-----
9:27 a.m.
New subject: More prominent link to verification hashes
On 7 March 2016 at 01:32, Ralf Senderek <fedora(a)senderek.ie> wrote:
> What would be proper other places to confirm the fingerprint?
The following criteria might be reasonable:
- a place that has authority, that people might trust.
- a place that is hard to impersonate, that has some protection
against unauthorized use
- a place that is visible to many people with a need to verify.
- a place that is known for publishing cross-checked, reliable information
Hope that helps to find such places.
Not really. Everything above is subjective. In the past, when I have
looked for sites that meet such criteria no one agrees that the place
meets such criteria.
We put it in redhat.com and people who hate corporations or that Red
Hat sponsors this project assume that if Red Hat were paid enough
money they would change the data any time.
We put it in archive.org and people wonder how we can tell it isn't
impersonated by some other site or that someone else isn't changing
it.
We put it in lwn.net and people wonder how they will know where to
find it or why we didn't choose reddit/slashdot/etc/etc.
We get google to host it and people wonder all of the above.
--
Stephen J Smoogen.
10:17 a.m.
New subject: More prominent link to verification hashes
On Mon, 7 Mar 2016, Stephen John Smoogen wrote:
> Hope that helps to find such places.
Not really. Everything above is subjective. In the past, when I have
looked for sites that meet such criteria no one agrees that the place
meets such criteria.
We put it in redhat.com and people who hate corporations or that Red
Hat sponsors this project assume that if Red Hat were paid enough
money they would change the data any time.
We put it in archive.org and people wonder how we can tell it isn't
impersonated by some other site or that someone else isn't changing
it.
We put it in lwn.net and people wonder how they will know where to
find it or why we didn't choose reddit/slashdot/etc/etc.
We get google to host it and people wonder all of the above.
Stephen,
please bear in mind that it's not a measure to make everyone happy,
publishing the fingerprint(s) is meant to prevent faking of the key.
And this is much more than providing only self-signed keys without
linking them to first-hand knowledge about their authenticity.
You don't have to come up with a solution that suits everyone, as
long as it is enough to make faking a really hard job for anyone.
12:08 p.m.
New subject: More prominent link to verification hashes
On Mon, Mar 7, 2016 at 8:27 AM, Stephen John Smoogen <smooge(a)gmail.com> wrote:
On 7 March 2016 at 01:32, Ralf Senderek <fedora(a)senderek.ie>
wrote:
>> What would be proper other places to confirm the fingerprint?
>
> The following criteria might be reasonable:
> - a place that has authority, that people might trust.
> - a place that is hard to impersonate, that has some protection
> against unauthorized use
> - a place that is visible to many people with a need to verify.
> - a place that is known for publishing cross-checked, reliable information
>
> Hope that helps to find such places.
Not really. Everything above is subjective. In the past, when I have
looked for sites that meet such criteria no one agrees that the place
meets such criteria.
We put it in redhat.com and people who hate corporations or that Red
Hat sponsors this project assume that if Red Hat were paid enough
money they would change the data any time.
We put it in archive.org and people wonder how we can tell it isn't
impersonated by some other site or that someone else isn't changing
it.
We put it in lwn.net and people wonder how they will know where to
find it or why we didn't choose reddit/slashdot/etc/etc.
We get google to host it and people wonder all of the above.
Get them all to host it. That oughta bypass any tomfoolery.
--
Chris Murphy
2966
days inactive
2977
days old
11 comments
7 participants
participants (7)
-
Chris Murphy -
Corey Sheldon -
Dennis Gilmore -
Matthew Miller -
Ralf Senderek -
Stephen John Smoogen -
Till Maas